DNS server
A DNS server is needed to resolve hostnames and reverse DNS queries.
You need a DNS server to handle the DNS requests from Red Hat OpenShift Container Platform (OpenShift). DNS name resolution and reverse DNS resolution are required for the following components:
- The Kubernetes API
- The OpenShift application placeholder.
- The bootstrap, control plane, and compute plane.
The reverse records are important because Red Hat Enterprise Linux CoreOS (RHCOS) uses them to set the host names for all nodes unless the host names are already provided by DHCP. Also, the reverse records are used to generate the certificate signing requests (CSR) that OpenShift requires for operation.
- DNS A/AAAA or CNAME records are used for name resolution.
- PTR records are used for reverse name resolution.
Installation
Perform on bastion guest:
- Install the bind9 service.
  yum install bind bind-utils
- Back up the original named.conf.
  cp /etc/named.conf /etc/named.conf.orig
- Create the zone files sa.boe.db and sa.boe.rev under /var/named/. Copy them from the Example configuration files.
- Verify the zone files.
  named-checkzone sa.boe sa.boe.db
  named-checkzone 10.in-addr.arpa sa.boe.rev
- Edit named.conf and add the zones. Copy them from the Example configuration files.
- Verify the configuration file named.conf:
  named-checkconf /etc/named.conf
- Configure the firewall rules:
  firewall-cmd --zone=public --add-service=dns --permanent
  firewall-cmd --reload
- Assign a static IP address to the interface that will serve DNS (as DHCP is not yet set up for this network).
  nmcli c modify PROFILE ipv4.addresses 10.128.0.1/14 ipv4.method manual
- Enable and start the service.
  systemctl enable named --now
  systemctl status named
Send the DNS server address via DHCP and fix the multi-NIC issue
Problems can occur when a guest has two NICs configured with DHCP and one DHCP answer includes a DNS server while the other does not. For that reason both DHCP servers send the same DNS server IP address, 10.128.0.1.
- Shut down the bastion KVM guest, for example (performed on one OpenShift LPAR) with:
  pcs resource disable bastion-guest
- Edit the default KVM network on all OpenShift LPARs and add this line:
  <dnsmasq:option value='dhcp-option=option:dns-server,10.128.0.1'/>
  virsh net-edit default
  # after editing, restart the network:
  virsh net-destroy default
  virsh net-start default
  The location where to add this line in the file can be seen in the comment in Base installation, Base KVM network, step 1.
- Bring up the bastion KVM guest again, for example, with:
  pcs resource enable bastion-guest
Example configuration files
sa.boe.db
$TTL 1W
@ IN SOA ns1.sa.boe. root (
2022250200 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
@ IN NS ns1.sa.boe.
; IN MX 10 smtp.sa.boe.
;
bastion.sa.boe. IN A 10.128.0.1
;
ns1.sa.boe. IN A 10.128.0.1
;smtp.sa.boe. IN A 10.128.0.1
;
;helper.sa.boe. IN A 192.168.1.5
;
api.ocp0.sa.boe. IN A 10.131.0.1
api-int.ocp0.sa.boe. IN A 10.131.0.1
;
*.apps.ocp0.sa.boe. IN A 10.131.0.1
;
bootstrap.ocp0.sa.boe. IN A 10.128.0.96
;
control0.ocp0.sa.boe. IN A 10.128.0.97
control1.ocp0.sa.boe. IN A 10.128.0.98
control2.ocp0.sa.boe. IN A 10.128.0.99
;
compute0.ocp0.sa.boe. IN A 10.128.0.10
compute1.ocp0.sa.boe. IN A 10.128.0.11
;
;EOF
sa.boe.rev
$TTL 1W
@ IN SOA ns1.sa.boe. root (
2022250200 ; serial
3H ; refresh (3 hours)
30M ; retry (30 minutes)
2W ; expiry (2 weeks)
1W ) ; minimum (1 week)
@ IN NS ns1.sa.boe.
;
1.0.131.10.in-addr.arpa. IN PTR api.ocp0.sa.boe.
1.0.131.10.in-addr.arpa. IN PTR api-int.ocp0.sa.boe.
;
96.0.128.10.in-addr.arpa. IN PTR bootstrap.ocp0.sa.boe.
;
97.0.128.10.in-addr.arpa. IN PTR control0.ocp0.sa.boe.
98.0.128.10.in-addr.arpa. IN PTR control1.ocp0.sa.boe.
99.0.128.10.in-addr.arpa. IN PTR control2.ocp0.sa.boe.
;
10.0.128.10.in-addr.arpa. IN PTR compute0.ocp0.sa.boe.
11.0.128.10.in-addr.arpa. IN PTR compute1.ocp0.sa.boe.
;
;EOF
named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 10.128.0.1; };
#listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { goodclients; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
# disable dnssec
# don't see a way yet to get dnssec disabled just for the DNS
# server running on our gateway
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//zone "." IN {
// type hint;
// file "named.ca";
//};
// Access Control List (Whitelist)
acl goodclients {
localhost;
10.128.0.0/14;
};
// forwarding zone: queries for example.com are handed to the upstream resolver
zone "example.com" IN {
type forward;
forward only;
forwarders { 172.18.0.1; };
};
// forward-lookup zone (authoritative)
zone "sa.boe" IN {
type master;
file "sa.boe.db";
allow-update { none; };
allow-query { any; };
};
// reverse-lookup zone (authoritative)
zone "0.128.10.in-addr.arpa" IN {
type master;
file "sa.boe.rev";
allow-update { none; };
allow-query { any; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
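As an added check that is not part of the original page, the following Python script parses inline excerpts of the sa.boe.db and sa.boe.rev records above and reports cluster-node A records without a PTR pointing back to them, addresses that carry more than one PTR, and PTR records lying outside the reverse zone declared in named.conf. The record excerpts, the zone name 0.128.10.in-addr.arpa and the ocp0.sa.boe node suffix come from the page; the check function and its finding texts are this example's own.

```python
# Added example (not from the original page): forward/reverse consistency check for the zones above.
import ipaddress
import re
# Constructed inline excerpts of the page's sa.boe.db and sa.boe.rev records.
FORWARD_ZONE = """
api.ocp0.sa.boe.       IN A 10.131.0.1
api-int.ocp0.sa.boe.   IN A 10.131.0.1
*.apps.ocp0.sa.boe.    IN A 10.131.0.1
bootstrap.ocp0.sa.boe. IN A 10.128.0.96
compute0.ocp0.sa.boe.  IN A 10.128.0.10
compute1.ocp0.sa.boe.  IN A 10.128.0.11
"""
REVERSE_ZONE = """
1.0.131.10.in-addr.arpa.  IN PTR api.ocp0.sa.boe.
1.0.131.10.in-addr.arpa.  IN PTR api-int.ocp0.sa.boe.
96.0.128.10.in-addr.arpa. IN PTR bootstrap.ocp0.sa.boe.
10.0.128.10.in-addr.arpa. IN PTR compute0.ocp0.sa.boe. ; compute1's PTR deliberately left out
"""
DECLARED_REV_ZONE = "0.128.10.in-addr.arpa"  # zone name declared in the page's named.conf
RR = re.compile(r"^(\S+)\s+IN\s+(A|PTR)\s+(\S+)$")

def parse(zone_text, rrtype):
    """Return (owner, rdata) pairs of one RR type; comments and blank lines are skipped."""
    recs = []
    for line in zone_text.splitlines():
        m = RR.match(line.split(";")[0].strip())
        if m and m.group(2) == rrtype:
            recs.append((m.group(1).rstrip(".").lower(), m.group(3).rstrip(".").lower()))
    return recs

def check(forward, reverse, rev_zone, suffix="ocp0.sa.boe"):
    """Return sorted findings; an empty list means every cluster node name round-trips."""
    findings = set()
    ptr_targets = {}  # reverse owner name -> set of PTR targets
    for owner, target in parse(reverse, "PTR"):
        if not owner.endswith("." + rev_zone):
            findings.add(f"out-of-zone PTR {owner}: named ignores data outside {rev_zone}")
        ptr_targets.setdefault(owner, set()).add(target)
    for owner, targets in ptr_targets.items():
        if len(targets) > 1:  # two PTRs for one address make the derived host name ambiguous
            findings.add(f"ambiguous reverse name for {owner}: {sorted(targets)}")
    for name, ip in parse(forward, "A"):
        if name.startswith("*") or not name.endswith(suffix):
            continue  # skip the apps wildcard and names outside the cluster domain
        rev = ipaddress.ip_address(ip).reverse_pointer
        if name not in ptr_targets.get(rev, set()):
            findings.add(f"{name} ({ip}) has no PTR pointing back to it")
    return sorted(findings)

print("\n".join(check(FORWARD_ZONE, REVERSE_ZONE, DECLARED_REV_ZONE)))
```

Run against the page's own records it flags the 10.131.0.1 PTR entries, which pass the named-checkzone call above (invoked with 10.in-addr.arpa) but fall outside the 0.128.10.in-addr.arpa zone that named.conf actually loads, so named drops them as out-of-zone data.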